Audit and compliance
Information security audits are a systematic, measurable technical assessment of how well an organization's security policy is actually applied. Performing regular inspections, along with automated alerts and reports, provides accurate insight into the security posture of an organization. Early in a project, eSimplicity identifies the logging, auditing, and compliance acceptance criteria that are necessary for project success. We pursue DevSecOps auditing and compliance as a means of maintaining a state of project readiness, whether that means remaining compliant with specific agency requirements or being responsive to potential external and internal threats. We use our open-source logging frameworks, which integrate with Splunk through its dashboards and custom alerts, and route those alerts to PagerDuty so that actionable operational events produce real-time notifications.
Vulnerability detection and assessment
Identifying the potential sources of vulnerabilities serves as early input to DevSecOps practices. Are we using cloud services, open-source components, or custom code? All of these components can affect your security posture. At eSimplicity, on nearly all of our projects, we combine our delivery pipeline with static, dynamic, container image, and open-source dependency scanning. Our approach automates scanning wherever possible and notifies the Agile team when a pipeline scan does not meet the specified expectations. With an iterative approach to development and continuous delivery, small changes are isolated and vulnerabilities are more easily identified. After automated scans are complete, we introduce periodic penetration tests, both manual and automated, to seek out the potentially complex scenarios that might be exploited when an attacker comes in contact with our applications. In all cases, whether a finding comes from an automated scan or a penetration test, eSimplicity tracks it as an iterative change and then delivers the security resolution as a code, process, configuration, and/or infrastructure change directly through our DevSecOps pipeline.
Security training
Just as one person cannot be a team, no single team member can address every component of a project's security posture. DevSecOps is the responsibility of each team member. eSimplicity team members participate in annual training. Our teams participate in and lead hands-on project team training covering security competencies such as threat detection, vulnerability detection, network intrusion prevention, firewall management, and more, all using industry-leading tools: Splunk, Burp Suite, HP ArcSight, Palantir, and ZAP.